Summary

This module provides authorization capabilities so that
authenticated users can be allowed or denied access to portions
of the web site by group membership. Similar functionality is
provided by mod_authz_groupfile and
mod_authz_dbm, with the exception that
this module queries a SQL database to determine whether a
user is a member of a group.

This module can also provide database-backed user login/logout
capabilities. These are likely to be of most value when used
in conjunction with mod_authn_dbd.

This module relies on mod_dbd to specify
the backend database driver and connection parameters, and
manage the database connections.

Directives

Bugfix checklist

See also

Apache's Require
directives are used during the authorization phase to ensure that
a user is allowed to access a resource. mod_authz_dbd extends the
authorization types with dbd-group, dbd-login and
dbd-logout.

Since v2.4.8, expressions are supported
within the DBD require directives.

In addition to the standard authorization function of checking group
membership, this module can also provide server-side user session
management via database-backed login/logout capabilities.
Specifically, it can update a user's session status in the database
whenever the user visits designated URLs (subject of course to users
supplying the necessary credentials).

This works by defining two special
Require types:
Require dbd-login and Require dbd-logout.
For usage details, see the configuration example below.

Some administrators may wish to implement client-side session
management that works in concert with the server-side login/logout
capabilities offered by this module, for example, by setting or unsetting
an HTTP cookie or other such token when a user logs in or out.

To support such integration, mod_authz_dbd exports an
optional hook that will be run whenever a user's status is updated in
the database. Other session management modules can then use the hook
to implement functions that start and end client-side sessions.

In conjunction with Require dbd-login or
Require dbd-logout, this provides the option to
redirect the client back to the Referring page (the URL in
the Referer HTTP request header, if present).
When there is no Referer header,
AuthzDBDLoginToReferer On will be ignored.

The AuthzDBDQuery specifies an SQL
query to run. The purpose of the query depends on the
Require directive in
effect.

When used with a Require dbd-group directive,
it specifies a query to look up groups for the current user. This is
the standard functionality of other authorization modules such as
mod_authz_groupfile and mod_authz_dbm.
The first column value of each row returned by the query statement
should be a string containing a group name. Zero, one, or more rows
may be returned.

When used with a Require dbd-login or
Require dbd-logout directive, it will never deny access,
but will instead execute a SQL statement designed to log the user
in or out. The user must already be authenticated with
mod_authn_dbd.

Specifies an optional SQL query to use after successful login
(or logout) to redirect the user to a URL, which may be
specific to the user. The user's ID will be passed as a single string
parameter when the SQL query is executed. It may be referenced within
the query statement using a %s format specifier.

The first column value of the first row returned by the query
statement should be a string containing a URL to which to redirect
the client. Subsequent rows will be ignored. If no rows are returned,
the client will not be redirected.

Notice:This is not a Q&A section. Comments placed here should be pointed towards suggestions on improving the documentation or server, and may be removed again by our moderators if they are either implemented or considered invalid/off-topic. Questions on how to manage the Apache HTTP Server should be directed at either our IRC channel, #httpd, on Freenode, or sent to our mailing lists.